Overview

Task                   Platform              Score
static1 (static)       -                     10
JaffaCakes...6d.zip    windows7-x64          10
JaffaCakes...6d.zip    windows10-2004-x64    1
08751be484...2d.dll    windows7-x64          1
08751be484...2d.dll    windows10-2004-x64    10
0a9f79abd4...51.exe    windows7-x64          10
0a9f79abd4...51.exe    windows10-2004-x64    3
0di3x.exe              windows7-x64          3
0di3x.exe              windows10-2004-x64    10
104.248.22...A.html    windows7-x64          10
104.248.22...A.html    windows10-2004-x64    3
104.248.22...d.html    windows7-x64          3
104.248.22...d.html    windows10-2004-x64    3
104.248.22...r.html    windows7-x64          3
104.248.22...r.html    windows10-2004-x64    3
104.248.22...g.html    windows7-x64          3
104.248.22...g.html    windows10-2004-x64    3
104.248.22...9.html    windows7-x64          3
104.248.22...9.html    windows10-2004-x64    3
104.248.22...ain.js    windows7-x64          3
104.248.22...ain.js    windows10-2004-x64    3
11.html                windows7-x64          3
11.html                windows10-2004-x64    3
12.html                windows7-x64          3
12.html                windows10-2004-x64    9
4a30275f14...ab.dll    windows7-x64          3
4a30275f14...ab.dll    windows10-2004-x64    10
2019-09-02...10.exe    windows7-x64          10
2019-09-02...10.exe    windows10-2004-x64    10
2c01b00772...eb.exe    windows7-x64          10
2c01b00772...eb.exe    windows10-2004-x64    10
31.exe                 windows7-x64          7
31.exe                 windows10-2004-x64    10
General
Score: 10/10
Target: JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d
Size: 221.1MB
Sample: 241224-vdwynsskdw
MD5: 0c1df79aedd19bad104f962cfa9495a2
SHA1: 62f9b3c0e8d3f29663c2bafde2602d7cda044fcc
SHA256: 4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d
SHA512: b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db
SSDEEP: 3145728:rdm8ZSmWUMbGIngwOqslykYmO6PCtzCtFRU/mvL91UppmkSKmfLeUuO5jPOL0aj0:fSmhMbGqylyzs/imvL91UYLfLd1PHp
Static task: static1
Behavioral tasks (sample: task (resource))
JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d.zip: behavioral1 (win7-20240708-en), behavioral2 (win10v2004-20241007-en)
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll: behavioral3 (win7-20240729-en), behavioral4 (win10v2004-20241007-en)
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe: behavioral5 (win7-20241010-en), behavioral6 (win10v2004-20241007-en)
0di3x.exe: behavioral7 (win7-20241023-en), behavioral8 (win10v2004-20241007-en)
104.248.221.3/systemerror-ie-edge/_data_image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMA/xhBQAA.html: behavioral9 (win7-20240903-en), behavioral10 (win10v2004-20241007-en)
104.248.221.3/systemerror-ie-edge/dsffddfdfdsawqwq22121sdsd.html: behavioral11 (win7-20240708-en), behavioral12 (win10v2004-20241007-en)
104.248.221.3/systemerror-ie-edge/img/blur.html: behavioral13 (win7-20241010-en), behavioral14 (win10v2004-20241007-en)
104.248.221.3/systemerror-ie-edge/img/headshot-bg.html: behavioral15 (win7-20240903-en), behavioral16 (win10v2004-20241007-en)
104.248.221.3/systemerror-ie-edge/indexe2c9.html: behavioral17 (win7-20240708-en), behavioral18 (win10v2004-20241007-en)
104.248.221.3/systemerror-ie-edge/js/main.js: behavioral19 (win7-20240903-en), behavioral20 (win10v2004-20241007-en)
11.html: behavioral21 (win7-20240903-en), behavioral22 (win10v2004-20241007-en)
12.html: behavioral23 (win7-20241023-en), behavioral24 (win10v2004-20241007-en)
4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll: behavioral25 (win7-20240903-en), behavioral26 (win10v2004-20241007-en)
2019-09-02_22-41-10.exe: behavioral27 (win7-20241010-en), behavioral28 (win10v2004-20241007-en)
2c01b007729230c415420ad641ad92eb.exe: behavioral29 (win7-20240903-en), behavioral30 (win10v2004-20241007-en)
31.exe: behavioral31 (win7-20240903-en), behavioral32 (win10v2004-20241007-en)
Malware Config
Extracted: cobaltstrike
305419896
http://47.91.237.42:8443/__utm.gif
access_type: 512
beacon_type: 2048
host: 47.91.237.42,/__utm.gif
http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
polling_time: 60000
port_number: 8443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /submit.php
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
watermark: 305419896
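The two http_header values above are Cobalt Strike malleable-C2 transform programs: big-endian opcode lists that tell the beacon how to wrap session metadata into the GET request and output into the POST request. The value Triage labels state_machine is, by its DER prefix (MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ), a 1024-bit RSA SubjectPublicKeyInfo, i.e. the public key the beacon encrypts its session key to. The Python below is an added example for this page, not Triage's or Cobalt Strike's code: it decodes both blobs with a parser written here and walks the DER of the key. The opcode-to-name table is the one used by the public Cobalt Strike config parsers and should be treated as an assumption to verify; the blobs are copied from the report with trailing zero padding trimmed. One caveat on pivoting: the watermark 305419896 is 0x12345678, a value that appears in many cracked or trial builds, so it identifies a build lineage rather than an operator.

```python
"""Decode fields of the Cobalt Strike beacon config extracted above.

Added example for this page, not Triage's or Cobalt Strike's code. Assumptions:
the opcode-to-name table is the one used by the public Cobalt Strike config
parsers, the blobs are copied from the report with trailing zero padding
trimmed, and the 'state_machine' value is treated as a DER public key.
"""
import base64

TRANSFORM_OPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask",
}
STRING_ARG_OPS = {1, 2, 5, 6, 9, 10}                 # opcode, u32 length, bytes
RSA_OID = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1 rsaEncryption

HTTP_HEADER1 = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAA"
HTTP_HEADER2 = ("AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ"
                "AAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAA")
STATE_MACHINE = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS"
                 "7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93n"
                 "KwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJN"
                 "cTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy"
                 "9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3D"
                 "JZDDCaJJYwIDAQAB")
WATERMARK = 305419896


def b64_lenient(s: str) -> bytes:
    """Decode base64 pasted from a report: drop whitespace and repair '=' padding."""
    s = "".join(s.split()).rstrip("=")
    if len(s) % 4 == 1:                  # a lone trailing character cannot encode a byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def u32(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 4], "big")


def read_string(raw: bytes, off: int):
    """u32 length followed by that many bytes; returns (text, next_offset)."""
    n = u32(raw, off)
    return raw[off + 4:off + 4 + n].decode("latin-1"), off + 4 + n


def parse_transform(blob_b64: str) -> list:
    """Walk a malleable C2 transform: big-endian u32 opcodes, each with 0, 1 or 2
    arguments; opcode 0 terminates the list and the rest of the blob is padding."""
    raw, steps, off = b64_lenient(blob_b64), [], 0
    while off + 4 <= len(raw):
        op, off = u32(raw, off), off + 4
        if op == 0:
            break
        name = TRANSFORM_OPS.get(op, f"op_{op}")
        if op in STRING_ARG_OPS:
            arg, off = read_string(raw, off)
        elif op == 7:                    # build <n>: GET 0 = metadata; POST 0 = id, 1 = output
            arg, off = u32(raw, off), off + 4
        elif op == 14:                   # strrep "old" "new"
            a, off = read_string(raw, off)
            b, off = read_string(raw, off)
            arg = (a, b)
        else:                            # base64, print, netbios, mask, ... take no argument
            arg = None
        steps.append((name, arg))
    return steps


def der_tlv(buf: bytes, off: int):
    """(tag, value, next_offset) of the DER element at buf[off]; handles long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                    # low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def parse_rsa_spki(b64: str) -> dict:
    """Parse a SubjectPublicKeyInfo into {'rsa': bool, 'bits': int, 'e': int}."""
    tag, spki, _ = der_tlv(b64_lenient(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, off = der_tlv(spki, 0)       # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg, 0)          # OBJECT IDENTIFIER
    _, bitstr, _ = der_tlv(spki, off)    # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = der_tlv(bitstr, 1)    # bitstr[0] is the unused-bits count
    _, n_bytes, off = der_tlv(rsakey, 0) # INTEGER modulus
    _, e_bytes, _ = der_tlv(rsakey, off) # INTEGER publicExponent
    return {"rsa": oid == RSA_OID,
            "bits": int.from_bytes(n_bytes, "big").bit_length(),
            "e": int.from_bytes(e_bytes, "big")}


if __name__ == "__main__":
    print("GET  header transform:", parse_transform(HTTP_HEADER1))
    print("POST header transform:", parse_transform(HTTP_HEADER2))
    print("beacon public key    :", parse_rsa_spki(STATE_MACHINE))
    print("watermark 0x%08x is the 0x12345678 default: %s" % (WATERMARK, WATERMARK == 0x12345678))
```

Read as a profile, http_header1 says: build the session metadata, base64 it, and send it in a Cookie header on the GET to /__utm.gif; http_header2 says: set Content-Type: application/octet-stream, put the session id in the id parameter and the task output in the body of the POST to /submit.php (in the public parsers' reading, build 0 and build 1 in a POST block are id and output). Those two shapes, plus the Trident/4.0 user agent and port 8443, are the request features worth turning into proxy or IDS logic; the watermark is not.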
Extracted: zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
build_id: 19
Extracted: revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted: revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted: zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
build_id: 103
Extracted: revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted: zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
build_id: 140
Extracted: zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
build_id: 131
Extracted: revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted: revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted: revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted: njrat
0.7d
HacKed
srpmx.ddns.net:5552
c6c84eeabbf10b049aa4efdb90558a88
reg_key: c6c84eeabbf10b049aa4efdb90558a88
splitter: |'|'|
Extracted: xred
xred.mooo.com
payload_url:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted: njrat
0.7d
HACK
43.229.151.64:5552
6825da1e045502b22d4b02d4028214ab
reg_key: 6825da1e045502b22d4b02d4028214ab
splitter: Y262SUCZ4UJJ
Extracted: zloader
googleaktualizacija
googleaktualizacija1
https://iqowijsdakm.ru/gate.php
https://wiewjdmkfjn.ru/gate.php
https://dksaoidiakjd.su/gate.php
https://iweuiqjdakjd.su/gate.php
https://yuidskadjna.su/gate.php
https://olksmadnbdj.su/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
build_id: 155
Extracted: formbook
4.0
w9z
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
worstig.com
Extracted: gozi
build: 300869
exe_type: loader
Extracted: gozi
86920224
https://sibelikinciel.xyz
build: 300869
exe_type: loader
server_id: 12
url_path: index.htm
Extracted: qakbot
324.141
spx129
1590734339
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
173.173.77.164:443
207.255.161.8:2222
68.39.177.147:995
178.193.33.121:2222
72.209.191.27:443
67.165.206.193:995
64.19.74.29:995
117.199.195.112:443
75.87.161.32:995
188.173.214.88:443
173.22.120.11:2222
96.41.93.96:443
86.125.210.26:443
24.10.42.174:443
47.201.1.210:443
69.92.54.95:995
24.202.42.48:2222
47.205.231.60:443
66.26.160.37:443
65.131.44.40:995
24.110.96.149:443
108.58.9.238:443
77.159.149.74:443
74.56.167.31:443
75.137.239.211:443
47.153.115.154:995
173.172.205.216:443
184.98.104.7:995
24.46.40.189:2222
98.115.138.61:443
35.142.12.163:2222
189.231.198.212:443
47.146.169.85:443
173.21.10.71:2222
24.42.14.241:443
188.27.6.170:443
89.137.77.237:443
5.13.99.38:995
93.113.90.128:443
72.179.242.236:0
73.210.114.187:443
80.240.26.178:443
85.186.141.62:995
81.103.144.77:443
98.4.227.199:443
24.122.228.88:443
150.143.128.70:2222
47.153.115.154:443
65.116.179.83:443
50.29.181.193:995
189.140.112.184:443
142.129.227.86:443
74.134.46.7:443
220.135.31.140:2222
172.78.87.180:443
24.201.79.208:2078
97.127.144.203:2222
100.4.173.223:443
59.124.10.133:443
89.43.108.19:443
216.163.4.91:443
67.83.54.76:2222
72.204.242.138:443
24.43.22.220:995
67.250.184.157:443
78.97.145.242:443
203.198.96.239:443
104.174.71.153:2222
24.28.183.107:995
197.160.20.211:443
79.117.161.67:21
82.76.239.193:443
69.246.151.5:443
78.96.192.26:443
216.201.162.158:995
108.21.107.203:443
107.2.148.99:443
189.236.218.181:443
75.110.250.89:443
211.24.72.253:443
207.255.161.8:443
162.154.223.73:443
50.104.186.71:443
100.38.123.22:443
96.18.240.158:443
108.183.200.239:443
173.187.170.190:443
100.40.48.96:443
71.80.66.107:443
67.197.97.144:443
69.28.222.54:443
47.136.224.60:443
47.202.98.230:443
184.180.157.203:2222
104.221.4.11:2222
70.173.46.139:443
213.67.45.195:2222
71.31.160.43:22
189.159.113.190:995
98.148.177.77:443
98.116.62.242:443
68.4.137.211:443
108.227.161.27:995
173.187.103.35:443
117.216.185.86:443
75.132.35.60:443
98.219.77.197:443
24.43.22.220:443
207.255.161.8:2087
72.190.101.70:443
189.160.217.221:443
207.255.161.8:32102
24.226.137.154:443
66.222.88.126:995
108.58.9.238:995
1.40.42.4:443
47.152.210.233:443
72.45.14.185:443
82.127.193.151:2222
101.108.113.6:443
98.13.0.128:443
175.111.128.234:995
175.111.128.234:443
216.137.140.236:2222
24.191.214.43:2083
72.177.157.217:443
72.29.181.77:2078
203.106.195.139:443
98.114.185.3:443
Extracted: formbook
4.1
app
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
norjax.com
Extracted: danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Targets

Target: JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d
Size: 221.1MB
MD5: 0c1df79aedd19bad104f962cfa9495a2
SHA1: 62f9b3c0e8d3f29663c2bafde2602d7cda044fcc
SHA256: 4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d
SHA512: b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db
SSDEEP: 3145728:rdm8ZSmWUMbGIngwOqslykYmO6PCtzCtFRU/mvL91UppmkSKmfLeUuO5jPOL0aj0:fSmhMbGqylyzs/imvL91UYLfLd1PHp
Score: 1/10

Target: 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
Size: 144KB
MD5: 9e9bb42a965b89a9dce86c8b36b24799
SHA1: e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
SHA256: 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
SHA512: e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
SSDEEP: 3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY
Signatures:
- Zloader family
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Size: 355KB
MD5: b403152a9d1a6e02be9952ff3ea10214
SHA1: 74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5
SHA256: 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51
SHA512: 0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8
SSDEEP: 6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF
Score: 3/10

Target: 0di3x.exe
Size: 111KB
MD5: bd97f762750d0e38e38d5e8f7363f66a
SHA1: 9ae3d7053246289ff908758f9d60d79586f7fc9f
SHA256: d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
SHA512: d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39
SSDEEP: 1536:4SYTPSLUTRZaEioqsQRPRXplmbH50B+dLDOZrZRzKZvJj5RmLFs8hN:43OLUra1oqxvplQ50BrStJ9RmLFs
Score: 10/10
Signatures:
- Smokeloader family
- Loads dropped DLL

Target: 104.248.221.3/systemerror-ie-edge/_data_image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMA/xhBQAAAAFzUkdCAK7OHOkAAAAPUExURQAAAAICAgAAAP/5WVlXiCGdAAAAADdFJOUwD8ZX+n/7gAAABvSURBVHja7dbBAUAwEABB/ykAAAAAAAAAAAAAAAAAgNcF
Size: 178B
MD5: 7e2c427186d4e1bac52813383423e82e
SHA1: bdede1efdd02eec3e5ee34eb555e44227d2bb2f1
SHA256: 887c8ada6058f01125a5131f1c495ba5f0171b2c40466ea824494403b87c1a22
SHA512: 09fa2c8d7d9a732abe7f118bfa20c1b7c47bec9b40e221366dae05bd01811f029d85544ff35b517e54faaf4b35a672e50e5fca232460fe3c0844132bdf0c818d
Score: 3/10

Target: 104.248.221.3/systemerror-ie-edge/dsffddfdfdsawqwq22121sdsd.html
Size: 84B
MD5: 52bf3ccddb64ba07d5d6d79fdfba4765
SHA1: f369871f7f1efa470a92ebb8ab98ad26b6754965
SHA256: 11359d75d1ccf8ead98ba93030fb3e9050157c154ac53255f9dda71f1465c3d7
SHA512: 56e5407cadabdf85fe16cb1fba51fffa92a8be23c2b8dcaa108a69cfb511318b2ec7f45c3782aeb49908d840a67ce62d4c18d3d1ffb7574f3edb73d355485939
Score: 3/10

Target: 104.248.221.3/systemerror-ie-edge/img/blur.html
Size: 178B
MD5: 7e2c427186d4e1bac52813383423e82e
SHA1: bdede1efdd02eec3e5ee34eb555e44227d2bb2f1
SHA256: 887c8ada6058f01125a5131f1c495ba5f0171b2c40466ea824494403b87c1a22
SHA512: 09fa2c8d7d9a732abe7f118bfa20c1b7c47bec9b40e221366dae05bd01811f029d85544ff35b517e54faaf4b35a672e50e5fca232460fe3c0844132bdf0c818d
Score: 3/10

Target: 104.248.221.3/systemerror-ie-edge/img/headshot-bg.html
Size: 178B
MD5: 7e2c427186d4e1bac52813383423e82e
SHA1: bdede1efdd02eec3e5ee34eb555e44227d2bb2f1
SHA256: 887c8ada6058f01125a5131f1c495ba5f0171b2c40466ea824494403b87c1a22
SHA512: 09fa2c8d7d9a732abe7f118bfa20c1b7c47bec9b40e221366dae05bd01811f029d85544ff35b517e54faaf4b35a672e50e5fca232460fe3c0844132bdf0c818d
Score: 3/10

Target: 104.248.221.3/systemerror-ie-edge/indexe2c9.html
Size: 30KB
MD5: c3d72f83e398064acdc21509226b47fa
SHA1: df3afbd526151107acce3bae7d25f1cf33349b4c
SHA256: e8da6f7472b2ce092fddf64bce7ea2960ed63ea92ba4dfbfa93bff5bf7913025
SHA512: b77ea23c163d100fcaa4f3ef2020072793fc4605145c13c26302faad6baf4f27a3cb827340eef61b2c154b89ccabe5b8f773c1f34b9f39786fa6979271fffdcd
SSDEEP: 384:H+51uEhO56OIop2I8NKFWuS6F+TtObFhuw6F+TtOFE31+/VUxfh07oQNI7gW0M:e5fq+bz+oElsVUxfh07ocI7gg
Score: 3/10

Target: 104.248.221.3/systemerror-ie-edge/js/main.js
Size: 2KB
MD5: 912734e981f454609fcde1c63a4467b3
SHA1: 6c475e786a6858804719d90c809fd5bffe317d2f
SHA256: e8af3476f0800500930ac809b2316f11bdcdaeb88f7309f523e4d0c2e5f58db7
SHA512: 5471bfdda02cb56860d7a205b54b5fb96fc7f7ff1f781d5ded3f2b15e975d9796460e3c7f8e5bf02eeb8ec226996c95cbe6b11d20a1cec9b36496f7c9793e590
Score: 3/10

Target: 11.html
Size: 7KB
MD5: ad4a9397a513760d6b7b7c95949a0421
SHA1: d6284164627c386d2a2a2577c4e94cd22ba9fcf7
SHA256: 31ee9a4d7bedce33c62b7bb5cca7551813ff7fd9c486293f749a58f4486f0300
SHA512: d49b4ee6eee88e2d0f81ca03871cd38e482aa26dec4016359237b0a71b297721e068047abefe09f714ddb77f4b63fcca88de80cfc4f27c0d94faf26158bc2cb0
SSDEEP: 192:zzbRccMfnoFoj6FQjHRiO7hp/iL7z6/Jz0fuz55555555555555555555555555b:DRcNfZ/na7z6hz0fuz5555555555555V
Score: 3/10

Target: 12.html
Size: 2KB
MD5: 3e1beb3a3cc648f798284e78e948cb0a
SHA1: 02c1f8d16a5667c3fce31354fe4a8a134bfc30b1
SHA256: 15d6940e18fbce99ff0b7509c09c32ada4760a5e3a5f64d8ad8b3b8c8f564fbb
SHA512: dc0c5a5e9cf8e99c749c07fe7adcfbf20ab5db84e249861c4fad2577e0136d6dbabc5a7b96e8b99d0b86479c6a30a910857b7b7db39c884532eaccb08b9aabe2
Score: 9/10
Signatures:
- Renames multiple (252) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in System32 directory

Target: 4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
Size: 524KB
MD5: 4aa199c19c28cd1d176b7f6ff59bd713
SHA1: ec321c45f365ad178bbbef4f873578ffc52b6114
SHA256: 4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
SHA512: b764a3378677a4d7ceba3d57442b98028581c0c2841bdac287c5caced0f350638a2c1c0a6136873d29627420b208789873c0d5a5ad4d28e3f1e3758e3a12a6f5
SSDEEP: 3072:3izUDxPs3Wo9MuFaNJXzWPfdidHzaCiZv1DwWD3aw8Vnx/VJqX8IoxKOgl9aYz4h:SuyRLavQTjd8VzJSnyK1UYzSx
Signatures:
- Zloader family

Target: 2019-09-02_22-41-10.exe
Size: 251KB
MD5: 924aa6c26f6f43e0893a40728eac3b32
SHA1: baa9b4c895b09d315ed747b3bd087f4583aa84fc
SHA256: 30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
SHA512: 3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
SSDEEP: 6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score: 10/10
Signatures:
- Smokeloader family
- Loads dropped DLL
- Suspicious use of SetThreadContext

Target: 2c01b007729230c415420ad641ad92eb.exe
Size: 1.3MB
MD5: daef338f9c47d5394b7e1e60ce38d02d
SHA1: c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e
SHA256: 5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58
SHA512: d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4
SSDEEP: 24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR
Signatures:
- Hawkeye family
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 31.exe
Size: 12.5MB
MD5: af8e86c5d4198549f6375df9378f983c
SHA1: 7ab5ed449b891bd4899fba62d027a2cc26a05e6f
SHA256: 7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
SHA512: 137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
SSDEEP: 393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Danabot family
- Danabot x86 payload
  Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Dharma family
- Formbook family
- Gozi family
- Qakbot family
- Raccoon Stealer V1 payload
- Raccoon family
- AgentTesla payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Formbook payload
- Looks for VirtualBox Guest Additions in registry
- Renames multiple (62) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Blocklisted process makes network request
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
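Two of the signatures that recur in the target sections above, "Renames multiple (N) files with added filename extension" and "Deletes shadow copies", are simple enough to show as detection logic. The Python below is an added example for this page, not Triage's signature code: it runs both checks over constructed sandbox events. The rename pairs, the command lines, the victim id "1A2B3C4D", the contact address and the threshold of three renames are all invented for the example; the first check counts renames that keep the original name and append a suffix, and only fires when one suffix dominates, which is what separates file encryption from the occasional .bak or .part rename.

```python
"""Re-implementation of two behavioural signatures listed above, run over constructed
sandbox events. Added example for this page, not Triage's signature code; the
event shape, the file names, the victim id and the threshold are assumptions."""
import re
from collections import Counter

# Constructed rename events (old_path, new_path). The first four mimic a Dharma-style
# rename that appends an id, a contact address and a new extension to the original name.
SAMPLE_RENAMES = [
    (r"C:\Users\victim\Documents\report.docx",
     r"C:\Users\victim\Documents\report.docx.id-1A2B3C4D.[contact@example.invalid].locked"),
    (r"C:\Users\victim\Documents\budget.xlsx",
     r"C:\Users\victim\Documents\budget.xlsx.id-1A2B3C4D.[contact@example.invalid].locked"),
    (r"C:\Users\victim\Pictures\holiday.jpg",
     r"C:\Users\victim\Pictures\holiday.jpg.id-1A2B3C4D.[contact@example.invalid].locked"),
    (r"D:\share\notes.txt",
     r"D:\share\notes.txt.id-1A2B3C4D.[contact@example.invalid].locked"),
    (r"C:\Users\victim\Downloads\setup.part",           # benign: extension replaced
     r"C:\Users\victim\Downloads\setup.exe"),
    (r"C:\Users\victim\Desktop\old",                    # benign: different name
     r"C:\Users\victim\Desktop\archive"),
]
# Constructed process command lines; only two of them destroy VSS snapshots.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\vssadmin.exe list shadows",
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete",
    r"C:\Windows\System32\notepad.exe C:\Users\victim\Desktop\readme.txt",
]

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\.delete\(\)",
    re.IGNORECASE)


def added_suffix(old: str, new: str):
    """The text appended to `old` if `new` is `old` plus extra extension(s), else None."""
    tail = new[len(old):]
    if new.startswith(old + ".") and "\\" not in tail and "/" not in tail:
        return tail
    return None


def renamed_with_added_extension(renames, min_count=3):
    """'Renames multiple (N) files with added filename extension'.

    Returns (count, suffix) when at least `min_count` renames append the same suffix.
    One dominant suffix across many files is what separates encryption from the odd
    .bak or .part rename; `min_count` is an assumed threshold."""
    suffixes = Counter()
    for old, new in renames:
        tail = added_suffix(old, new)
        if tail:
            suffixes[tail] += 1
    if not suffixes:
        return None
    suffix, count = suffixes.most_common(1)[0]
    return (count, suffix) if count >= min_count else None


def deletes_shadow_copies(cmdlines):
    """'Deletes shadow copies': the command lines that remove VSS snapshots."""
    return [c for c in cmdlines if SHADOW_DELETE.search(c)]


def run_signatures(renames, cmdlines):
    """Produce report lines in the same wording as the target sections above."""
    hits = []
    hit = renamed_with_added_extension(renames)
    if hit:
        hits.append(f"Renames multiple ({hit[0]}) files with added filename extension {hit[1]}")
    if deletes_shadow_copies(cmdlines):
        hits.append("Deletes shadow copies")
    return hits


if __name__ == "__main__":
    for line in run_signatures(SAMPLE_RENAMES, SAMPLE_CMDLINES):
        print(line)
```

Against the constructed events the rename check reports four files sharing the suffix .id-1A2B3C4D.[contact@example.invalid].locked and ignores the two benign renames, and the shadow-copy check matches the vssadmin delete and WMIC shadowcopy delete lines but not vssadmin list shadows. On a real sandbox the same logic would consume the file-system and process event stream rather than two hard-coded lists.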
MITRE ATT&CK Enterprise v15 (signature counts in parentheses)
Execution
  Command and Scripting Interpreter (3)
    JavaScript (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (2)
  Query Registry (8)
  System Information Discovery (8)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Wi-Fi Discovery (1)
  Virtualization/Sandbox Evasion (2)